a vulnerability in the register username field or the login username field?
both are protected so i dont know whats going on there.
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = trim(stripslashes(mysql_real_escape_string($_POST['pass'])));
$_POST['username'] = trim(stripslashes(mysql_real_escape_string($_POST['username'])));
}